
AppSec Mistakes Part 2: Ignoring Risks in Open Source Libraries

Developers often commit the costly mistake of not leveraging open-source libraries and try to reinvent the wheel. Open-source libraries speed up the development of standard application functionality through reuse and thus contribute to quick application deployment. Developers also benefit from the updates, patches, and community-contributed features that open-source libraries generally come with. It is neither economical nor recommended to develop everything from scratch when an existing codebase can be reused wherever applicable. Entrepreneurs and developers should channel their innovation, effort, and time into the work that builds the business's own IP and keeps it competitive in the marketplace.

Balanced Approach

There ought, of course, to be a nuanced approach to adopting open-source libraries rather than blind implementation. If not done properly, this can significantly raise the application's risk quotient. A single vulnerability in a widely used open-source library has an enormous attack surface, because every application that bundles the library inherits it, and can potentially wreak havoc among a huge audience base. Worse, bugs in dependencies more often than not go unnoticed for years, amplifying the risk further.

Without adequate information about the source of open-source components, it is virtually impossible to weigh the risk and take appropriate corrective action. Attackers are constantly looking to exploit such vulnerabilities, which can have a rippling impact on an application. Hence, it is indispensable to keep track of which open-source components developers use, and where they use them. Such software composition analysis enables a quick turnaround when some of those components turn out to be compromised or vulnerable.

Fragmented Information

Another major impediment in handling open-source vulnerabilities is that comprehensive information about them is fragmented and hence hard to keep track of. Even where it is available, it often provides scarce or unreliable details about threat severity and the availability of patches. Though there has been some movement forward, a lot still needs to be done to cover every major open-source framework in the market.

Is Open Source More Secure?

There is a widespread misconception that open-source components are inherently more secure than their commercial counterparts, though evidence points to the contrary. Open-source libraries are equally, and in certain cases more, vulnerable to security flaws than commercial code. Developers should understand that components, whether open-source or commercial, are only as secure as the continuous manual and automated security testing applied to the underlying codebase, and only if the vulnerabilities it surfaces are duly fixed. Such testing includes penetration testing, codebase peer review, static and dynamic security testing, and so on.

Developers need to be open to change in accordance with the evolving application security landscape so that they stay ahead of the curve and keep application snoopers at bay. While reducing overall software development costs, business owners and developers should keep track of the open-source libraries they use and take full stock of the security risks before incorporating them into their applications.

Planned Integrated Approach

In such a fragile ecosystem, it is essential to recognize the threat vectors and find ways to handle situations that warrant immediate action. Recognizing the threats posed by open-source libraries, OWASP added "Using Components with Known Vulnerabilities" to its Top 10 security threat list in 2013. Security tools do come in handy in checking the risks of open-source dependencies. But nothing replaces a planned security audit and regular manual assessment to identify vulnerabilities and patch them, for an attacker may discover vulnerabilities in open-source libraries before the legitimate user does.
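As an added example (not code from the AppSealing post), here is a minimal software composition check in the spirit of the component inventory described under Balanced Approach and the known-vulnerability check above: it parses a constructed requirements-style manifest into an inventory of pinned components, compares each pin against a constructed advisory list, and separately reports unpinned entries that cannot be assessed. The manifest, the advisory ids and the fixed versions are all made up for illustration; a real check would pull advisories from a feed such as OSV or the NVD.

```python
import re
# Constructed sample manifest (requirements.txt style), not from any real project.
MANIFEST = """\
# web stack
flask==1.0.2
requests==2.19.1
pyyaml==3.12
cryptography==41.0.7
six>=1.0   # unpinned: no exact version to assess
"""

# Constructed advisory list: package -> [(first fixed version, placeholder id)].
ADVISORIES = {
    "requests": [("2.20.0", "EXAMPLE-ADV-001")],
    "pyyaml": [("5.4", "EXAMPLE-ADV-002")],
    "flask": [("1.0.0", "EXAMPLE-ADV-003")],
}

# Package name, optionally followed by '==' and a dotted numeric version.
LINE_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(?:==\s*([0-9][0-9.]*))?")

def parse_version(v):
    """Turn '2.19.1' into (2, 19, 1) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_manifest(text):
    """Build the inventory: name -> pinned version, or None when unpinned."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            inventory[m.group(1).lower()] = m.group(2)
    return inventory

def find_vulnerable(inventory, advisories):
    """Return (name, version, advisory id) for every pin below the fixed version."""
    hits = []
    for name, version in inventory.items():
        for fixed_in, adv_id in advisories.get(name, []):
            if version and parse_version(version) < parse_version(fixed_in):
                hits.append((name, version, adv_id))
    return hits

def find_unpinned(inventory):
    """Unpinned components cannot be assessed; report them for follow-up."""
    return [name for name, version in inventory.items() if version is None]
```

Running `find_vulnerable(parse_manifest(MANIFEST), ADVISORIES)` flags `requests` and `pyyaml`, leaves `flask` alone because its pin is at or above the fixed version, and `find_unpinned` lists `six` as a component whose risk cannot be weighed without a pinned version.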

AppSealing acts as a one-stop shop for handling threats emanating from the use of open-source components and keeps a continuous vigil to secure your applications. Dynamically generated reports help developers and business owners keep tabs on their AppSec initiatives and keep threats at bay.

Govindraj Basatwar, Global Business Head
A techno-commercial evangelist who creates, develops, and executes a clear vision for teams. Successfully created a SaaS business model with multi-million dollar revenues globally. Proven leadership track record of establishing foreign companies in India with market-entry strategy, business plan, sales, and business development activities.